From d92d2aa3ce4667faa38454c8dae4fa9f72b91b71 Mon Sep 17 00:00:00 2001
From: Tjeu Kayim <15987676+TjeuKayim@users.noreply.github.com>
Date: Thu, 27 Jan 2022 19:57:52 +0100
Subject: [PATCH] Log instead of error MissingOrMalformedExtensions in rustls_native_certs::load_native_certs (#1316)

---
 src/async_impl/client.rs | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/src/async_impl/client.rs b/src/async_impl/client.rs
index 19438d9..eefc2f2 100644
--- a/src/async_impl/client.rs
+++ b/src/async_impl/client.rs
@@ -346,12 +346,31 @@ impl ClientBuilder {
 #[cfg(feature = "rustls-tls-native-roots")]
 if config.tls_built_in_root_certs {
+let mut valid_count = 0;
+let mut invalid_count = 0;
 for cert in rustls_native_certs::load_native_certs()
 .map_err(crate::error::builder)?
 {
-root_cert_store
-.add(&rustls::Certificate(cert.0))
-.map_err(crate::error::builder)?
+let cert = rustls::Certificate(cert.0);
+// Continue on parsing errors, as native stores often include ancient or syntactically
+// invalid certificates, like root certificates without any X509 extensions.
+// Inspiration: https://github.com/rustls/rustls/blob/633bf4ba9d9521a95f68766d04c22e2b01e68318/rustls/src/anchors.rs#L105-L112
+match root_cert_store.add(&cert) {
+Ok(_) => valid_count += 1,
+Err(err) => {
+invalid_count += 1;
+log::warn!(
+"rustls failed to parse DER certificate {:?} {:?}",
+&err,
+&cert
+);
+}
+}
+}
+if valid_count == 0 && invalid_count > 0 {
+return Err(crate::error::builder(
+"zero valid certificates found in native root store",
+));
 }
 }
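Review bot: The `log::warn!` in the `Err` arm formats the rejected certificate with `{:?}`, which writes the entire DER blob into the log for every unparsable root; on native stores carrying many legacy certificates that is a lot of binary noise, and the raw bytes are rarely what an operator needs to act on. Logging the size keeps the line actionable: `"rustls failed to parse DER certificate ({} bytes): {:?}", cert.0.len(), &err`. Separately, the `valid_count == 0 && invalid_count > 0` check only fails the build when every root is rejected, so a store where most roots fail to parse now yields a client with a quietly reduced trust set, and an empty store (both counters zero) still builds without any message as before; a one-line summary after the loop, `if invalid_count > 0 { log::warn!("skipped {} unparsable native root certificate(s)", invalid_count); }`, makes the reduced set visible to someone reading only the tail of the log. The enclosing function starts before this hunk and continues after it, and the hunk's trailing context lines run past the end of this page.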